[TLS] TSV ART review of draft-ietf-tls-sni-encryption
Bernard Aboba <bernard_aboba@hotmail.com> Mon, 09 September 2019 19:48 UTC
Return-Path: <bernard_aboba@hotmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B0E54120048; Mon, 9 Sep 2019 12:48:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.124
X-Spam-Level:
X-Spam-Status: No, score=-1.124 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FORGED_HOTMAIL_RCVD2=0.874, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=hotmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bX1dzTjewufE; Mon, 9 Sep 2019 12:48:08 -0700 (PDT)
Received: from NAM05-DM3-obe.outbound.protection.outlook.com (mail-oln040092014061.outbound.protection.outlook.com [40.92.14.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8E3641200A4; Mon, 9 Sep 2019 12:48:08 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=RINvPJx8KBQHNfve254eaXJcntV3umesM1i6nz/r66RT3C760UoLKzJdujFesfIccnkSfdwQ0f0ZiPnGFbj4iCjvdcpvYTdfQCeB+dyF3YzOwteVq1CfRK0bxniGLMEcfOIMrTZld66kVmLu/KDXAoqEkVRkck4xj4gLQurgGbwUrdIjjzFyXvfhj0AaEnJTRstxCXIlS4UjX0Bf8EhrCdg+gqtHKGcKV4sZzWUDsx4B/zu7nBf3+RQeYwm/zy8g15b1TtFHlQe6EB9H0yb4kZHO/aSIsgZHW4hWeieIcGClOLfmlnIY0uCXFwbVQlDj6y1LJNiMbFKZ14ZNxp2q3A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=mqhciNhCBZp0DW2/D5uUzap1r0mIaBrniKW0tVDjr6g=; b=M/xtb1UWwqWiUfsukVP+UKKXCM1cQwwEaQkvzMaR+9bVRsgy3MQzyUL6QvflnBassJ3hMI4snxcpv0FTBldNVMSuKzQC//X6kgh62jpr+iPwD1NceqqkY21f7p63q8AlBbnX0TZ3vQ6PoenIRXTnlbZsViawqW8qqPN/eui/Fq9+HntTDABKeP3w2NLtBZtRULc03j9kPlRCagPlVXcDc5n/LWzdBRAwAsnRuS4hTO88zsMXSqDCQsFEUevGAUz45YPNuLrBlExgeXt6P5rsDrHtlXV+MqGJsO0SDLBbn9CpyT60uPrrEYhQB3knO9jrBo/6ysNzD8lxolILAxiyhg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none; dkim=none; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hotmail.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=mqhciNhCBZp0DW2/D5uUzap1r0mIaBrniKW0tVDjr6g=; b=R/bwFS/ffoEo9WKKH25VRXvvSpJ7nwI8OUlbmPw6UA08YdQI4BEEDeK86oWcE/D+eF++U+Dwu892enjdYZybLQkBo2KwQeUpAh0E6hIgKxlBLGr8Ce1Cwr58IrejUH7P0AjBEja3zo9Go26RnA/XYa0qMpccqHcYzFum4CZmyZGwXn1UeoJYhqbA/VoK4rDAJnM9YxzvBgvZfRcBZlSlj+I5uE4OsO9ZQZ87FU48igqxzJqka+oX71EHP2lopc0ZA4Ns9eVs945l2soY5lTZURliy9KArQRQjsT3dsTwg5mvN1AUdE/IdvU1l9GyTGakPRe82/pTnBskqd1UcYal7A==
Received: from CO1NAM05FT020.eop-nam05.prod.protection.outlook.com (10.152.96.58) by CO1NAM05HT101.eop-nam05.prod.protection.outlook.com (10.152.97.47) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.2263.6; Mon, 9 Sep 2019 19:48:07 +0000
Received: from BYAPR06MB5558.namprd06.prod.outlook.com (10.152.96.55) by CO1NAM05FT020.mail.protection.outlook.com (10.152.96.128) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.2263.6 via Frontend Transport; Mon, 9 Sep 2019 19:48:07 +0000
Received: from BYAPR06MB5558.namprd06.prod.outlook.com ([fe80::7440:14e3:185f:4e9f]) by BYAPR06MB5558.namprd06.prod.outlook.com ([fe80::7440:14e3:185f:4e9f%7]) with mapi id 15.20.2241.018; Mon, 9 Sep 2019 19:48:07 +0000
From: Bernard Aboba <bernard_aboba@hotmail.com>
To: "tsv-art@ietf.org" <tsv-art@ietf.org>, "draft-ietf-tls-sni-encryption.all@ietf.org" <draft-ietf-tls-sni-encryption.all@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: TSV ART review of draft-ietf-tls-sni-encryption
Thread-Index: AQHVZ0dAw54F3SkHOEWC+8gdp2nspA==
Date: Mon, 09 Sep 2019 19:48:07 +0000
Message-ID: <BYAPR06MB55586171004B46D9F92E1EFC93B70@BYAPR06MB5558.namprd06.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-incomingtopheadermarker: OriginalChecksum:871452D1664160524561F708A8E750984253DBE53729D80DE8C75D262AC656B0; UpperCasedChecksum:7901A87D2594E3C70BEFEAA82E7E78F34C6CE7F3568376696AF4057E2A6EC32A; SizeAsReceived:6794; Count:40
x-tmn: [PiFo0li4CjoAgCGf81YNC70ChYr4cv+D161huS/vJ+w9RytMe3gtnu3j0UBrxK/I]
x-ms-publictraffictype: Email
x-incomingheadercount: 40
x-eopattributedmessage: 0
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(5050001)(7020095)(20181119110)(201702061078)(5061506573)(5061507331)(1603103135)(2017031320274)(2017031323274)(2017031324274)(2017031322404)(1601125500)(1603101475)(1701031045); SRVR:CO1NAM05HT101;
x-ms-traffictypediagnostic: CO1NAM05HT101:
x-microsoft-antispam-message-info: wO+beiPOeJWG0derjzMeZFrzInF37yM3j3DUKXlNODzqP7vAn6eh/CIqz2CG2iomV9PFFneLfcviuJXzkh9jrLsDGSwxbl6CgZo/tSX6ZWNoMtx5De+o8fvz+HnF2R2DTXrWYbRX9MgffPzpiOQV53Q6+BBrE1tpo80iBK00CVmlREW5lRjQFAlX9hXjOqa8
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_BYAPR06MB55586171004B46D9F92E1EFC93B70BYAPR06MB5558namp_"
MIME-Version: 1.0
X-OriginatorOrg: hotmail.com
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-CrossTenant-Network-Message-Id: e7692979-49ee-4121-39cb-08d7355ea2cc
X-MS-Exchange-CrossTenant-rms-persistedconsumerorg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Sep 2019 19:48:07.0405 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Internet
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CO1NAM05HT101
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/elGVRsQBl11qjLP9JjBJcDM-xwM>
Subject: [TLS] TSV ART review of draft-ietf-tls-sni-encryption
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Sep 2019 19:48:11 -0000
Document: draft-ietf-tls-sni-encryption Reviewer: Bernard Aboba Review result: Ready with Nits This document has been reviewed as part of the transport area review team's ongoing effort to review key IETF documents. These comments were written primarily for the transport area directors, but are copied to the document's authors and WG to allow them to address any issues raised and also to the IETF discussion list for information. When done at the time of IETF Last Call, the authors should consider this review as part of the last-call comments they receive. Please always CC tsv-art@ietf.org if you reply to or forward this review. I have not identified any transport related issues. NITS Expansion of acronyms on first use: Abstract: TLS Section 1: DNS Section 2.1: ISP, QoS, MITM Section 2 s/mutiple/multiple/ Section 2.1 s/fradulent/fraudulent/ Section 3.6 The downside is the the client will not verify the identity of the fronting service with risks discussed in , but solutions will have to mitigate this risks. [BA] Several problems with this sentence: s/the the/the/ s/this risks/the risk/ s/discussed in ,/discussed in [REF-TBD],/ Section 3.7.1 This section seems somewhat out of place in a section on Security and Privacy Requirements for SNI Encryption, given that it relates to hiding of the ALPN, and the text admits a weak case for linking the two problems: Using the same technique for hiding the ALPN and encrypting the SNI may result in excess complexity. It might be preferable to encrypt these independently. You might consider moving this section to Section 4.3.1, under Section 4.3 Related Work. Section 5 The first paragraph of this section strikes me as being potentially better suited to inclusion in Section 1 Introduction. Replacing clear text SNI transmission by an encrypted variant will improve the privacy and reliability of TLS connections, but the design of proper SNI encryption solutions is difficult. This document does not present the design of a solution, but provides guidelines for evaluating proposed solutions.
- [TLS] TSV ART review of draft-ietf-tls-sni-encryp… Bernard Aboba
- Re: [TLS] TSV ART review of draft-ietf-tls-sni-en… Christian Huitema
- Re: [TLS] TSV ART review of draft-ietf-tls-sni-en… Bernard Aboba